5. Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide

    Author: Myanmar Ebook Store

    Chapter 1: Planning and Scoping for a Successful Penetration Test
    Introduction to advanced penetration testing
    Vulnerability assessments
    Penetration testing
    Advanced penetration testing
    Before testing begins
    Determining scope
    Setting limits — nothing lasts forever
    Rules of engagement documentation
    Planning for action
    Installing VirtualBox
    Installing your BackTrack virtual machine
    Preparing the virtual guest machine for BackTrack
    Installing BackTrack on the virtual disk image
    Exploring BackTrack
    Logging in
    Changing the default password
    Updating the applications and operating system
    Installing OpenOffice
    Effectively manage your test results
    Introduction to MagicTree
    Starting MagicTree
    Adding nodes
    Data collection
    Report generation
    Introduction to the Dradis Framework
    Exporting a project template
    Importing a project template
    Preparing sample data for import
    Importing your Nmap data
    Exporting data into HTML
    Dradis Category field
    Changing the default HTML template
    Summary

    Chapter 2: Advanced Reconnaissance Techniques
    Introduction to reconnaissance
    Reconnaissance workflow
    DNS recon
    Nslookup — it's there when you need it
    Default output
    Changing nameservers
    Creating an automation script
    What did we learn?
    Domain Information Groper (Dig)
    Default output
    Zone transfers using Dig
    Advanced features of Dig
    DNS brute forcing with fierce
    Default command usage
    Creating a custom wordlist
    Gathering and validating domain and IP information
    Gathering information with whois
    Specifying which registrar to use
    Where in the world is this IP?
    Defensive measures
    Using search engines to do your job for you
    SHODAN
    Filters
    Understanding banners
    Finding specific assets
    Finding people (and their documents) on the web
    Google hacking database
    Metagoofil
    Searching the Internet for clues
    Metadata collection
    Extracting metadata from photos using exiftool
    Summary

    Chapter 3: Enumeration: Choosing Your Targets Wisely
    Adding another virtual machine to our lab
    Configuring and testing our Vlab_1 clients
    BackTrack – Manual ifconfig
    Ubuntu – Manual ifconfig
    Verifying connectivity
    Maintaining IP settings after reboot
    Nmap — getting to know you
    Commonly seen Nmap scan types and options
    Basic scans — warming up
    Other Nmap techniques
    Remaining stealthy
    Shifting blame — the zombies did it!
    IDS rules, how to avoid them
    Using decoys
    Adding custom Nmap scripts to your arsenal
    How to decide if a script is right for you
    Adding a new script to the database
    SNMP: A goldmine of information just waiting to be discovered
    SNMPEnum
    SNMPCheck
    When the SNMP community string is NOT "public"
    Creating network baselines with scanPBNJ
    Setting up MySQL for PBNJ
    Starting MySQL
    Preparing the PBNJ database
    First scan
    Reviewing the data
    Enumeration avoidance techniques
    Naming conventions
    Port knocking
    Intrusion detection and avoidance systems
    Trigger points
    SNMP lockdown
    Summary

    Chapter 4: Remote Exploitation
    Exploitation – Why bother?
    Target practice – Adding a Kioptrix virtual machine
    Manual exploitation
    Enumerating services
    Quick scan with Unicornscan
    Full scan with Nmap
    Banner grabbing with Netcat and Ncat
    Banner grabbing with Netcat
    Banner grabbing with Ncat
    Banner grabbing with smbclient
    Searching Exploit-DB
    Exploit-DB at hand
    Compiling the code
    Compiling the proof of concept code
    Troubleshooting the code
    Running the exploit
    Getting files to and from victim machines
    Installing and starting a TFTP server on BackTrack 5
    Installing and configuring pure-ftpd
    Starting pure-ftpd
    Passwords: Something you know
    Cracking the hash
    Brute forcing passwords
    THC Hydra
    Metasploit — learn it and love it
    Updating the Metasploit framework
    Databases and Metasploit
    Installing PostgreSQL on BackTrack 5
    Verifying database connectivity
    Performing an Nmap scan from within Metasploit
    Using auxiliary modules
    Using Metasploit to exploit Kioptrix
    Summary

    Chapter 5: Web Application Exploitation
    Practice makes perfect
    Installing Kioptrix Level 3
    Creating a Kioptrix VM Level 3 clone
    Installing and configuring Mutillidae 2.1.7 on the Ubuntu virtual machine
    Installing and configuring pfSense
    Preparing the virtual machine for pfSense
    pfSense virtual machine persistence
    Configuring the pfSense DHCP server
    Starting the virtual lab
    pfSense DHCP – Permanent reservations
    Installing HAProxy for load balancing
    Adding Kioptrix3.com to the host file
    Detecting load balancers
    Quick reality check – Load Balance Detector
    So, what are we looking for anyhow?
    Detecting Web Application Firewalls (WAF)
    Taking on Level 3 – Kioptrix
    Web Application Attack and Audit Framework (w3af)
    Using w3af GUI to save time
    Scanning by using the w3af console
    Using WebScarab as a HTTP proxy
    Introduction to Mantra
    Summary

    Chapter 6: Exploits and Client-Side Attacks
    Buffer overflows—A refresher
    "C"ing is believing—Create a vulnerable program
    Turning ASLR on and off in BackTrack
    Understanding the basics of buffer overflows
    Introduction to fuzzing
    Introducing vulnserver
    Fuzzing tools included in BackTrack
    Bruteforce Exploit Detector (BED)
    SFUZZ: Simple fuzzer
    Fast-Track
    Updating Fast-Track
    Client-side attacks with Fast-Track
    Social Engineering Toolkit
    Summary

    Chapter 7: Post-Exploitation
    Rules of engagement
    What is permitted?
    Can you modify anything and everything?
    Are you allowed to add persistence?
    How is the data that is collected and stored handled by you and your team?
    Employee data and personal information
    Data gathering, network analysis, and pillaging
    Linux
    Important directories and files
    Important commands
    Putting this information to use
    Enumeration
    Exploitation
    We're connected, now what?
    Which tools are available on the remote system
    Finding network information
    Determine connections
    Checking installed packages
    Package repositories
    Programs and services that run at startup
    Searching for information
    History files and logs
    Configurations, settings, and other files
    Users and credentials
    Moving the files
    Microsoft Windows™ post-exploitation
    Important directories and files
    Using Armitage for post-exploitation
    Enumeration
    Exploitation
    We're connected, now what?
    Networking details
    Finding installed software and tools
    Pivoting
    Summary

    Chapter 8: Bypassing Firewalls and Avoiding Detection
    Lab preparation
    BackTrack guest machine
    Ubuntu guest machine
    pfSense guest machine configuration
    pfSense network setup
    WAN IP configuration
    LAN IP configuration
    Firewall configuration
    Stealth scanning through the firewall
    Finding the ports
    Traceroute to find out if there is a firewall
    Finding out if the firewall is blocking certain ports
    Now you see me, now you don't — Avoiding IDS
    Canonicalization
    Timing is everything
    Blending in
    Looking at traffic patterns
    Cleaning up compromised hosts
    Using a checklist
    When to clean up
    Local log files
    Miscellaneous evasion techniques
    Divide and conquer
    Hiding out (on controlled units)
    File integrity monitoring
    Using common network management tools to do the deed
    Summary

    Chapter 9: Data Collection Tools and Reporting
    Record now — Sort later
    Old school — The text editor method
    Nano
    VIM — The power user's text editor of choice
    NoteCase
    Dradis framework for collaboration
    Binding to an available interface other than 127.0.0.1
    The report
    Challenge to the reader
    Summary

    Chapter 10: Setting Up Virtual Test Lab Environments
    Why bother with setting up labs?
    Keeping it simple
    No-nonsense test example
    Network segmentation and firewalls
    Requirements
    Setup
    Adding complexity or emulating target environments
    Configuring firewall1
    Installing additional packages in pfSense
    Firewall2 setup and configuration
    Web1
    DB1
    App1
    Admin1
    Summary

    Chapter 11: Take the Challenge – Putting It All Together
    The scenario
    The setup
    NewAlts Research Labs' virtual network
    Additional system modifications
    Web server modifications
    The challenge
    The walkthrough
    Defining the scope
    Determining the "why"
    So what is the "why" of this particular test?
    Developing the Rules of Engagement document
    Initial plan of attack
    Enumeration and exploitation
    Reporting
    Summary
    Index